Malware Engineering S. Katzenbeisser, C. Schallhart, H. Veith Institut fur¨ Informatik, Technische Universitat¨ Munchen¨ Boltzmannstrasse 3, D-85748 Garching bei Munchen¨ {katzenbe,schallha, veith}@in.tum.de Abstract: Starting from simple hand-crafted viruses, today’s malware has evolved to constitute highly infectious computer diseases. The technical development of malware was mainly driven by the wish to improve and accelerate both attacks and proliferation. Although these programs have incurred significant hazard and financial losses, their mechanisms are relatively simple and are amenable to effective countermeasures— once, the first attack has been launched. From a software technology point of view, malicious software in fact is often very similar to network services with the main difference that security holes are exploited to enforce participation in the protocol. In this position paper we outline the wide range of possible malware-specific engi- neering techniques which are not used in known viruses and worms, but are technically feasible and will therefore be realized in the foreseeable future—less likely by hackers than by organized illegal entities. The techniques we describe enable the malware to obfuscate its functionality, monitor and analyze its environment, and modify or extend itself in non-trivial ways. Consequently, future security policies and risk assessments have to account for these new classes of malware. WE ARE THEIR FOOD.THOSE GERMS OF THE PAST THAT BEST CONVERTED OUR BODIES INTO THEIR OWN PROPAGATION ARE THE GERMS OF THE PRESENT.THOSE GERMS OF THE PRESENT THAT BEST CONVERT OUR BODIES INTO THEIR OWN PROPAGATION ARE THE GERMS OF THE FUTURE. Paul W. Ewald [Ewa00] 1 Introduction On March 19, 2004 at approximately 8:45pm PST, a new worm—later named Witty—was found in the wild. Witty, a program of only 700 bytes, targeted a buffer overflow in sev- eral Internet Security Systems (ISS) products. In just 45 minutes, Witty managed to infect 12.000 machines all over the world, which constitutes almost the entire vulnerable popu- lation [SM04, WE04]. Although the total number of infected machines was too low for sensational press coverage, Witty marks a paradigm shift in malware: Witty distinguished itself from previous viruses in that it carried a particularly destructive payload, was error- free and was launched in an organized manner from a set of compromised hosts. But most 139 importantly, Witty spread through a relatively small population in record time, only one day after the ISS vulnerability was published. As Bruce Schneier later wrote [Sch04]: “Witty represents a new chapter in malware. If it had used common Windows vulnerabilities to spread, it would have been the most damaging worm we have seen yet.” During the last years, the number of known viruses and worms has been growing almost exponentially. The number of infected computers has risen with each new generation of malware: whereas CodeRed (2001) infected “only” about 359.000 hosts, the versions of the Sasser (2004) worm together infected about 1 million machines. Recently the first Bluetooth worm has been discovered [Blu04]. This shows that worm authors got interested in targeting the increasing number of ubiquitous and mobile devices. We can expect this trend to continue in the near future. While the first worms were apparently written for the cynical entertainment of the authors, we expect that explicitly criminal worms targeted at commercial fraud (e.g., access for sale [SS03]), will become an increasingly dangerous threat. In fact, worms arguably present a substantial threat to the world economy. Weaver and Paxson [WP04] estimate that a worst-case worm could cost the US economy $50 billion in direct economic damage, not counting indirect costs caused by power outages, transportation delays, general interrup- tions in the industrial supply chain, etc. In the hands of highly skilled malevolent experts, these economic vulnerabilities may turn virus and worm technology into a weapon. This position paper expresses our conviction that the technological possibilities for sys- tematically engineering malware have hardly been explored so far. In this paper we con- centrate on computer worms; however the techniques can be adapted to other types of malware, too. Notwithstanding their destructiveness, today’s worms are relatively sim- ple pieces of hand-crafted software performing straightforward mechanisms which makes them amenable to effective countermeasures. In fact, from a software technology point of view, today’s worms are structurally similar to system software which goes the direct way to provide an intended (malicious) functionality by utilizing security exploits. Most of innovation in the past years concerned the attack mechanism, which makes attacks fast and vicious but constitutes a relatively simple-minded (though often effective) way of information warfare. In this paper, we will focus on natural technologies facilitating slower but possibly more dangerous attacks. Extrapolating the status quo. Starting with the Morris Internet worm in 1988, we have seen a permanent evolution in the world of malware. About ten years later, the first virus (ShareFun, 1997) spread through e-mail. Melissa (1999) was the fist worm performing mass mailings, while SirCam (2001) even contained its own SMTP client. Nimbda (2001) used multiple attacks to spread and Bibrog (2003) targeted various existing peer-to-peer schemes [KE03]. Kienzle and Elder [KE03] claim one can observe a lack of innovation in e-mail worms recently. In fact, most recent e-mail worms are just minor variations of well-known tech- niques: worm authors typically replace one security exploit by another, enhance the dis- tribution and target discovery mechanisms and modify the payload. This trend was also driven by the availability of virus toolkits which enable non-experts and script-kiddies to 140 create a huge zoo of related viruses. Still, most worms are naive, yet dangerous, pieces of software. The lack of recent innovation for several months does not indicate the lack of danger, as shown by Witty. In fact, we believe that the saturation of the known technology marks a technical boundary which is going to provoke a new cycle of innovation, characterized by a switch from hacker programming to malware engineering. What does malware engi- neering set apart from hacking? • Hand-crafted vs. engineered. Similar to the development of programming from Knuth’s art to Dijkstra’s science, we expect a corresponding development for ma- licious programming. There is a clear evolutional line from the first hand-crafted viruses over virus toolkits (designed to automatically generate new virus variants) towards well-engineered viruses and worms. • Savage vs. tactical. Traditional viruses and worms attempted to spread and attack as quickly as possible, similar to the influenza virus in nature. This makes them easily detectable (e.g., just by monitoring the network load); however, at this point it may be too late to stop their spreading efficiently. More refined tactics may combine slower infection rates with intelligent, goal-oriented behavior. • Covert vs. ostensible. The first worms essentially amounted to mobile code, mak- ing no attempts to obfuscate their content and existence. Polymorphic viruses present the first, but by no means the last, step towards advanced obfuscation tech- niques. Practical experiments [CJ04] have dramatically demonstrated that current virus detection software fails even for relatively simple syntactic modifications of malicious code. This situation clearly calls for the use of semantic methods, such as program analysis, for the sake of virus detection. • Dynamic vs. static. The traditional understanding of software implies a prede- termined functionality, with self-modifying code being a curiosity rather than an engineering principle. Well engineered viruses may employ randomized semantic program transformations and even accept a certain risk of code corruption in their replicas (“children”). • Exploit oriented vs. investigative. Many worms have been created in response to published vulnerabilities. An advanced worm may attempt to identify vulnerabilities on-the-fly (e.g., buffer overflows or open ports). • Ad hoc vs. well-tested. One of the most surprising features of Witty was its cor- rectness, in contrast to worms like Sasser. In the future, we expect to see more well-tested worms. To wrap up this argument, we believe that future malware technology will use semantically non-trivial methods to hit their target. The goal of this position paper is to focus on the issue of advanced malware technology. We will explore possible ways to realize the above mentioned lines of development. In 141 Section 2 we describe in detail various design principles. The new malware we describe will typically propagate more slowly. Section 3 deals in more detail with a suitable theo- retic notion of code obfuscation. Let us conclude the introduction with the following important note: it is evident that the ideas and methods presented in this paper are potentially dangerous and not intended for implementation. We do however strongly believe that these issues need to be raised and openly discussed within the research community early on. Only knowledge and analysis of future attack possibilities pave the way for feasible countermeasures. “Security by ignorance” is no better than “security by obscurity”. 2 Perspectives of Malware Engineering In computer science at large, the transition from hacking to software